Flaw Causes Orange Livebox ADSL Modems to Leak WiFi Credentials

A flaw has been identified in Orange Livebox ADSL modems that causes the modems to “leak” WiFi credentials.

Orange Livebox is an ADSL wireless router used to deliver broadband services to customers of Orange S.A., a French multinational telecommunications company. The flaw was discovered by Troy Mursch, one of the co-founders of Bad Packets LLC, an information security research group. Mursch stated that the firm’s honeypots were being scanned with GET requests starting December 21. The scans, performed by at least one threat actor, were part of a larger targeted campaign of attacks on Orange Livebox ADSL modems.

The hackers are exploiting a flaw (CVE-2018-20377) in Orange Livebox ADSL modems that allows them to obtain the SSID and the Wi-Fi password of the devices in plaintext. If cybercriminals were to gain access to the modem, they could update the firmware and change device settings.

Finding which devices were affected by the flaw proved to be a straightforward task. Using the search engine Shodan, Mersch showed there are currently 19,490 of the vulnerable modems in use. A further 2,018 modems were not leaking data but exposed to the Internet.

If an attacker were to identify a vulnerable modem, exploiting the flaw is as simple as sending a GET request to “/get_getnetworkconf.cgi to obtain plaintext SSIDs and WiFi passwords. An attacker can also view the phone number of the customer and the MAC addresses and names of all connected clients. Mursch also found that password reuse was rife, and many devices had not set a custom password, instead they still used the default admin/admin credentials.

“They can obtain the phone number tied to the modem and conduct other serious exploits detailed in this Github repository,” Mursch said today in a security advisory published by his company.

The attack identified by Mursch appears to come from within Spain from a Telefonica Spain customer. It is currently unclear why attempts are being made to access the modems’ Wi-Fi credentials.

Mursch has reported the flaw to CCN-CERT, Orange, and Orange-CERT and the vulnerability is currently being investigated. It was determined that the attacker is carrying out scans for vulnerable devices is also located on the same network. However, it is unclear if he’s using his IP address to scan for other modems or one of the vulnerable modems itself.